Hi, I am setting up DCAP on my Azure VM, using the link https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html
My VM is SGX enabled and the OS is Ubuntu 20.04; the kernel is 5.15 (so, based on the explanations, there is no need to install the DCAP driver). My first question is that I cannot see the DCAP driver when I run:
sudo dmesg | grep sgx
[ 0.555012] sgx: EPC section 0x2c0000000-0x3bfffffff
[ 2.295541] systemd[1]: Set hostname to <sgx-n03>.
[11468.512041] isgx: loading out-of-tree module taints kernel.
[11468.512082] isgx: module verification failed: signature and/or required key missing - tainting kernel
[11468.516710] intel_sgx: Intel SGX Driver v2.11.0
[11468.520319] UBSAN: shift-out-of-bounds in /opt/intel/sgxdriver/package/sgx_main.c:224:11
[11468.526125] sgx_drv_probe.cold+0x16f/0x4b3 [isgx]
[11468.526148] ? sgx_reset_pubkey_hash+0x110/0x110 [isgx]
[11468.526153] init_sgx_module+0x2f/0x90 [isgx]
[11468.529716] intel_sgx INT0E0C:00: EPC bank 0x2c0000000-0x3c0000000
[11468.575432] intel_sgx: second initialization call skipped
Why?
Another issue is that when I install and configure PCCS, my network_setting.conf is as follows:
#############################################################
# PCCS server address
# support V3 version PCCS
#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms
# support V4 version PCCS
PCCS_URL=https://localhost:8081/sgx/certification/v4/platforms
# To accept insecure HTTPS cert, set this option to FALSE
USE_SECURE_CERT=FALSE
###############################################################
###############################################################
# when access pccs, user need provide the token
user_token =password
###############################################################
###############################################################
# Proxy settings:proxy type could be the following three types
# direct: means no proxy used
# default: system default proxy will be used
# manual: when this type was selected, user need provide the proxy_url
proxy_type = direct
#proxy_type = default
#proxy_type = manual
#proxy_url = http://proxy_url:proxy_port
###############################################################
When I run PCKIDRetrievalTool to verify, I got this problem:
Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.15.100.3
Warning: platform manifest is not available or current platform is not multi-package platform.
Error: unexpected error occurred while sending data to cache server.
pckid_retrieval.csv has been generated successfully, however the data couldn't be sent to cache server!
And in my pccs-server.log:
2023-01-04 15:38:44.836 [info]: Client Request-ID : 2dbe514c95564f04aca78c3dee2fd713
2023-01-04 15:38:45.190 [info]: Request-ID is : 80a7bb01846d494cb61067ceca5deb2c
2023-01-04 15:38:45.192 [error]: Intel PCS server returns error(404).
2023-01-04 15:38:45.192 [error]: Intel PCS server returns error. Error code : 404
2023-01-04 15:38:45.192 [error]: Error: No cache data for this platform.
at Module.getPckCertFromPCS (file:///opt/intel/sgx-dcap-pccs/services/logic/commonCacheLogic.js:92:11)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async LazyCachingMode.registerPlatforms (file:///opt/intel/sgx-dcap-pccs/services/caching_modes/cachingMode.js:163:7)
at async Module.registerPlatforms (file:///opt/intel/sgx-dcap-pccs/services/platformsRegService.js:107:3)
at async postPlatforms (file:///opt/intel/sgx-dcap-pccs/controllers/platformsController.js:40:5)
2023-01-04 15:38:45.197 [info]: 127.0.0.1 - - [04/Jan/2023:15:38:45 +0000] "POST /sgx/certification/v4/platforms HTTP/1.1" 404 32 "-" "-"
This is my kernel version:
cat /proc/version
Linux version 5.15.0-1029-azure (buildd@lcy02-amd64-076) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #36~20.04.1-Ubuntu SMP Tue Dec 6 17:00:26 UTC 2022
I'm not sure what the message exactly means. Is it something related to the BIOS? How can I solve the problem?
Hi leila888,
Thank you for your interest in Intel® SGX.
Linux kernel versions v5.11 and newer have the SGX driver that supports DCAP built in. You should be able to see the SGX device nodes available, i.e.:
ls -la /dev/sgx*
crw-rw-rw- 1 root root 10, 125 Aug 29 13:38 /dev/sgx_enclave
crw------- 1 root root 10, 126 Aug 29 13:38 /dev/sgx_provision
crw------- 1 root root 10, 124 Aug 29 13:38 /dev/sgx_vepc
Meanwhile, I am sorry that you faced issues when installing and configuring PCCS. Thank you for providing the logs; they are very useful.
There is an article that addresses your issue. Refer to the Article for more information.
You can update the BIOS on the system to the most recent BIOS available from the OEM to make the trusted computing base current.
Hope that the information provided is useful for you. Let us know if you have any questions.
Thank you.
Regards,
Ken
Dear KFPW_Intel,
Thanks for your prompt response,
This is the result of
ls -la /dev/sgx*
crw-rw-rw- 1 root root 10, 125 Jan 6 08:11 /dev/sgx_enclave
crw-rw---- 1 root sgx_prv 10, 126 Jan 6 08:11 /dev/sgx_provision
/dev/sgx:
total 0
drwxr-xr-x 2 root root 80 Jan 6 08:11 .
drwxr-xr-x 20 root root 3980 Jan 6 08:12 ..
lrwxrwxrwx 1 root root 14 Jan 6 08:11 enclave -> ../sgx_enclave
lrwxrwxrwx 1 root root 16 Jan 6 08:11 provision -> ../sgx_provision
in which I cannot see
crw------- 1 root root 10, 124 Aug 29 13:38 /dev/sgx_vepc
Do you know what the issue is?
Besides, I have no idea how I can update the BIOS on a VM, and as you can see my Linux version is
Linux version 5.15.0-1029-azure
not OEM. Would you please guide me on this?
Thanks so much
Since your environment is a VM, it is the expected result: there is no /dev/sgx_vepc. You can find this device node on the host.
You don't need to update the BIOS on a VM. In general, the CSP should have done the registration for the platform, but I am not sure why your VM could NOT get PCK certs from Intel PCS. I need time to investigate it.
Thanks, Junli_S_Intel.
How can I investigate it? Is there anything that I have to do?
Hi leila888,
I found this reference that may assist you for your use cases. Quickstart: Create Intel SGX VM in Azure Portal
Based on the reference,
"For DCsv3 and DCdsv3-series Azure VMs, the Intel certificates can only be fetched from THIM, as it is not possible to make direct calls to Intel service from the VMs"
It is suggested to contact their THIM service to assist with your platform use cases. This GitHub Azure DCAP Client source may assist you.
Regards,
Ken
Thanks KFPW_intel.
I have installed the Azure-DCAP-Client and Open Enclave. When I try to run the microsoft-azure-attestation/sgx.attest.sample.intel.sdk sample and the Open Enclave attestation sample, I get these errors, in order:
[get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011
Step1: Call sgx_qe_get_target_info: Error in sgx_qe_get_target_info. 0xe011
make: *** [Makefile:22: run] Error 255
sudo make runsgxremote
host/attestation_host sgxremote ./enclave_a/enclave_a.signed ./enclave_b/enclave_b.signed
Host: Creating two enclaves
Host: Enclave library ./enclave_a/enclave_a.signed
Enclave1: ***../common/crypto.cpp(80): mbedtls initialized.
Host: Enclave successfully created.
Host: Enclave library ./enclave_b/enclave_b.signed
Enclave2: ***../common/crypto.cpp(80): mbedtls initialized.
Host: Enclave successfully created.
Host: environment variable SGX_AESM_ADDR is not set
Host: ********** Attest enclave_a to enclave_b **********
Host: Requesting enclave_b format settings
Enclave2: ***../common/dispatcher.cpp(79): get_enclave_format_settings
Host: Requesting enclave_a to generate a targeted evidence with an encryption key
Enclave1: ***../common/dispatcher.cpp(133): get_evidence_with_public_key
Enclave1: ***../common/attestation.cpp(94): oe_serialize_custom_claims
Enclave1: ***../common/attestation.cpp(105): serialized custom claims buffer size: 121
[get_platform_quote_cert_data ../qe_logic.cpp:378] Error returned from the p_sgx_get_quote_config API. 0xe011
2023-01-10T08:52:25+0000.824117Z [(H)ERROR] tid(0x7f68e9c27f40) | quote3_error_t=SGX_QL_NO_PLATFORM_CERT_DATA
(oe_result_t=OE_PLATFORM_ERROR) [/source/openenclave/host/sgx/sgxquote.c:oe_sgx_qe_get_target_info:706]
2023-01-10T08:52:25+0000.825863Z [(H)ERROR] tid(0x7f68e9c27f40) | :OE_PLATFORM_ERROR [/source/openenclave/host/sgx/quote.c:sgx_get_qetarget_info:37]
Enclave1: ***../common/attestation.cpp(121): oe_get_evidence failed.(OE_PLATFORM_ERROR)
Enclave1: ***../common/dispatcher.cpp(153): get_evidence_with_public_key failed
Host: get_evidence_with_public_key failed. OE_OK
Host: attestation failed with 1
Host: Terminating enclaves
Enclave1: ***../common/crypto.cpp(94): mbedtls cleaned up.
Host: Enclave successfully terminated.
Enclave2: ***../common/crypto.cpp(94): mbedtls cleaned up.
Host: Enclave successfully terminated.
Host: failed
make: *** [Makefile:27: runsgxremote] Error 1
Do you have any ideas?
Thank you
Hi leila888,
Thank you for your patience.
The logs are very useful. The error you encountered may be due to the client not being able to get PCK certs from the cache server (THIM or PCCS).
In order to get the PCK certs from the cache server, the Quote Provider Library (QPL) will be used to fetch the certs. Please check which QPL is used: is it the Intel or the Microsoft version?
If it is the Intel version of the QPL, there is a configuration file, /etc/sgx_default_qcnl.conf, in which you need to provide your cache server URL correctly in order for it to work.
If it is the Microsoft version QPL, please check with Microsoft and this Azure DCAP Client source may assist you for your use cases.
Regards,
Ken
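Added triage script, not code from the thread, Intel or Microsoft, that folds the checks Ken describes into shell functions: the kernel-version and device-node check from his first reply (in-kernel driver on 5.11+, no /dev/sgx_vepc inside a VM) and the cache-server URL check for /etc/sgx_default_qcnl.conf from this reply. It assumes the in-kernel driver logs "sgx: EPC section" to dmesg and that the qcnl file uses either the KEY=VALUE or the JSON "pccs_url" layout; the inputs are text so the checks also run on captured output.

```shell
#!/bin/sh
# Added triage helpers for SGX DCAP on a VM (not from the thread). Inputs are text so the
# checks run on captured output; SGX_CHECK_LIVE=1 runs them on the current machine.
# Kernel 5.11+ ships the in-kernel SGX driver, so the out-of-tree isgx module is not needed.
kernel_has_sgx() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 11 ]; then return 0; fi
    return 1
}
# Classify dmesg text: "both" means the in-kernel driver and isgx were both loaded,
# which is the situation in the first post (isgx should be removed, not installed).
dmesg_driver_state() {
    inkernel=no; oot=no
    if printf '%s\n' "$1" | grep -q 'sgx: EPC section'; then inkernel=yes; fi
    if printf '%s\n' "$1" | grep -q 'isgx: loading out-of-tree module'; then oot=yes; fi
    case "$inkernel$oot" in
        yesyes) echo both ;;        yesno) echo in-kernel ;;
        noyes)  echo out-of-tree ;; *)     echo none ;;
    esac
}
# A VM exposes only /dev/sgx_enclave and /dev/sgx_provision; /dev/sgx_vepc exists on the host.
devnodes_ok() {  # usage: devnodes_ok vm|host "<ls -la /dev/sgx* output>"
    for node in sgx_enclave sgx_provision; do
        if ! printf '%s\n' "$2" | grep -q "$node"; then return 1; fi
    done
    if [ "$1" = host ] && ! printf '%s\n' "$2" | grep -q sgx_vepc; then return 1; fi
    return 0
}
# Extract the active (uncommented) cache-server URL from sgx_default_qcnl.conf text;
# handles both the old KEY=VALUE layout and the newer JSON "pccs_url" key.
qcnl_pccs_url() {
    printf '%s\n' "$1" | grep -i 'pccs_url' | grep -v '^[[:space:]]*#' \
        | grep -o 'https\{0,1\}://[^", ]*' | head -n 1
}
sgx_live_check() {
    kver=$(uname -r)
    if kernel_has_sgx "$kver"; then echo "kernel $kver: in-kernel driver, isgx not needed"
    else echo "kernel $kver: older than 5.11, out-of-tree driver required"; fi
    echo "dmesg driver state: $(dmesg_driver_state "$(dmesg 2>/dev/null || true)")"
    if devnodes_ok vm "$(ls -la /dev/sgx* 2>/dev/null || true)"; then echo "device nodes: ok"
    else echo "device nodes: /dev/sgx_enclave or /dev/sgx_provision missing"; fi
    if [ -r /etc/sgx_default_qcnl.conf ]; then
        echo "QPL cache server: $(qcnl_pccs_url "$(cat /etc/sgx_default_qcnl.conf)")"
    fi
}
if [ -n "${SGX_CHECK_LIVE:-}" ]; then sgx_live_check; fi
```

Run it as `SGX_CHECK_LIVE=1 sh sgx_triage.sh` on the VM; a "both" driver state together with a localhost PCCS URL reproduces the two symptoms in this thread.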
Hi leila888,
I hope the information I provided was helpful to you. Do you need further help with this issue?
Please inform us if you have any questions regarding this issue.
Thank you.
Regards,
Ken
Please, can you tell how you resolved the error?
I am also getting the same error message.
I have a similar setup to yours, using an Azure VM.
Hi leila888,
We have not heard from you in several days so we will no longer monitor this thread. We hope you were able to resolve your issue. Please start a new thread if you need further help.
Regards,
Ken